Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Risk Management

CyberGRX Partners With BitSight to Address Supply Chain Risks

Partnership Integrates BitSight’s Security Ratings Capabilities With CyberGRX Third-Party Cyber Risk Exchange

Partnership Integrates BitSight’s Security Ratings Capabilities With CyberGRX Third-Party Cyber Risk Exchange

The iconic Target breach of 2013 brought attention to the threat from third-party suppliers — the supply chain. Target was breached after its HVAC supplier, Fazio Mechanical Services, had itself been breached and had the credentials for accessing its customer stolen.

This threat has become more difficult and more complex as digital transformation has increased and cloud service providers have boomed. A single enterprise can now use several thousand different cloud services. According to Gartner research, a large enterprise’s network of vendors, partners, contractors and customers all with access to the corporate network can easily run into the tens of thousands. Any one of these can potentially introduce an unseen risk.

Managing this risk manually is impossible to do effectively — and several specialist companies have evolved to provide various degrees of automation. SecurityScorecard and BitSight are two companies that provide analyses of third-party vendors by analyzing their external face.

CyberGRX (GRX stands for global risk exchange) takes a different approach — it provides a ‘risk exchange’ based on a storehouse of validated third party risk assessments. According to CEO Fred Kneip, the firm is the brainchild of Jay Leek — then at Blackstone. “Jay was thinking about the inefficiencies of third party risk management across his portfolio. In an ad-hoc survey of his portfolio companies, he found that 90 of his 115 portfolio companies were using the exact same vendor. Fifty of those were doing a full blown assessment of that vendor every year.”

CyberGRX is the result of that observation. Rather than do 50 risk assessments of one vendor, do one assessment and share it across fifty companies. Where CyberGRX differs from SecurityScorecard and BitSight is that its risk assessments are internal rather than external affairs — the former looks at processes and controls in relation to vulnerabilities, while the latter looks at the third-party’s internet face.

CyberGRX and BitSight have now recognized the potential synergy between the two approaches.

On Monday they announced a partnership. “BitSight is a leader of the security ratings market, and their ability to continuously rate the security performance of third parties from an outside-in perspective will strengthen the CyberGRX Exchange,” said Kneip. “Combining their proven non-intrusive approach to evaluating risk and security performance with the inside-out view our platform provides is a powerful proposition for customers: a comprehensive, continuous, 360-degree view of third-party cyber risk exposure.”

Advertisement. Scroll to continue reading.

“Enterprises today require access to accurate, continuous and actionable information about third-party cyber risk,” added Jacob Olcott, VP of strategic partnerships at BitSight. “CyberGRX helps to solve that problem for companies across the world, and our security ratings provide the unique, objective data that organizations need to scale their third-party risk programs and make more informed business decisions.” 

CISOs now have somewhere to go to rate the risk associated with their supply chain without having to spend hours every day pouring over vendor-supplied spreadsheets or questionnaires; or ignoring the risk altogether through lack of time and manpower.

BitSight has raised more than $90 million in funding to-date, including $40 million in Series C financing in September 2016. Headquartered in Cambridge, Massachusetts, it was founded in 2011.

CyberGRX closed a $20M Series B funding round in April 2017. Headquartered in Denver, Colorado, it was founded in July 2016.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...